Headers worth trying for (probably) unintended bypasses:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
https://learn.microsoft.com/en-us/answers/questions/1290318/azure-application-gateway-adds-6-additional-header
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host